Mastering Multi-Stage Composite Detections in Chronicle SIEM

Published On Sat May 10 2025
Solved: Help Needed with Composite Rule: "detection source is not supported"

I'm working with composite detections in Google Security Operations (Chronicle SIEM) and running into an issue. I'm trying to implement a level 2 composite rule that consumes detections from a producer rule (login_with_location_producer) which extracts user email and login country from USER_LOGIN events.

Producer Rule

The producer rule works fine and persists detections:

rule login_with_location_producer {
    meta:
        author = "Google SecOps Gemini"
        description = "Produces detections with user email and login country from Google Workspace login events."
    events:
        $e.metadata.event_type = "USER_LOGIN"
        // Bind the login user and the geo-located source country to placeholders.
        $e.target.user.email_addresses[0] = $user_email
        $e.principal.ip_geo_artifact[0].location.country_or_region = $login_country
    outcome:
        // The outcomes are what a consuming (composite) rule reads back from each detection.
        $target_user = $user_email
        $country = $login_country
    condition:
        $e
}

Composite Rule

The composite rule fails to parse with "detection source is not supported":

rule rapid_country_change_composite {
    meta:
        author = "Google SecOps Gemini"
        description = "Detects rapid login location change for a user within 1 hour."
        severity = "High"
    events:
        // Two detections from the producer rule, joined on a single $user placeholder
        // (the match section lists match variables and a window; it does not take an expression).
        $d1.detection.detection.rule_name = "login_with_location_producer"
        $d1.detection.detection.outcomes["target_user"] = $user
        $d2.detection.detection.rule_name = "login_with_location_producer"
        $d2.detection.detection.outcomes["target_user"] = $user
        // Same user, different login country; this also keeps $d1 and $d2 from being the same detection.
        $d1.detection.detection.outcomes["country"] != $d2.detection.detection.outcomes["country"]
    match:
        $user over 1h
    condition:
        $d1 and $d2
}

What exactly causes this "detection source is not supported" error? Is there a known issue with using detection.detection.* fields in composite rules? Any best practices for chaining composite rules like this that I may have missed? Appreciate any guidance or examples from others who've worked with multi-stage composite detections in Chronicle. Thanks!
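To make the two-stage logic concrete, here is an added example (not code from the original post or from Google SecOps) that models the producer/consumer chain in plain Python: the producer emits one detection per USER_LOGIN event carrying the user and country outcomes, and the consumer pairs detections for the same user within a 1-hour window whose countries differ. The UDM-shaped sample events are constructed for the example; the function names and the dictionary layout of a "detection" are assumptions, not Chronicle's own data model.

```python
"""Offline model of a producer -> composite detection chain.

Added example, not Google SecOps code: it reimplements the intent of the two
YARA-L rules above so the correlation logic can be run against sample input.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PRODUCER_RULE = "login_with_location_producer"

def _ts(s: str) -> datetime:
    # Parse the constructed RFC 3339 timestamps used in the sample events.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _login(ts: str, user: str, country: str, event_type: str = "USER_LOGIN") -> Dict:
    # Constructed UDM-like event with just the fields the producer rule reads.
    return {
        "metadata": {"event_type": event_type, "event_timestamp": ts},
        "target": {"user": {"email_addresses": [user]}},
        "principal": {"ip_geo_artifact": [{"location": {"country_or_region": country}}]},
    }

# Constructed sample input: one true positive, one slow change, one same-country pair,
# one non-login event and one event with no geo artifact.
SAMPLE_EVENTS: List[Dict] = [
    _login("2025-05-10T08:00:00Z", "alice@example.com", "United States"),
    _login("2025-05-10T08:30:00Z", "alice@example.com", "Germany"),
    _login("2025-05-10T09:00:00Z", "bob@example.com", "United States"),
    _login("2025-05-10T11:00:00Z", "bob@example.com", "United Kingdom"),
    _login("2025-05-10T09:00:00Z", "carol@example.com", "United States"),
    _login("2025-05-10T09:10:00Z", "carol@example.com", "United States"),
    _login("2025-05-10T08:10:00Z", "alice@example.com", "France", event_type="USER_LOGOUT"),
    {"metadata": {"event_type": "USER_LOGIN", "event_timestamp": "2025-05-10T08:20:00Z"},
     "target": {"user": {"email_addresses": ["alice@example.com"]}}, "principal": {}},
]

def producer_rule(events: List[Dict]) -> List[Dict]:
    """Model of login_with_location_producer.

    A detection is emitted only when every field the rule references is present,
    mirroring how an unset UDM field fails the event filter rather than matching.
    """
    detections = []
    for e in events:
        if e.get("metadata", {}).get("event_type") != "USER_LOGIN":
            continue
        emails = e.get("target", {}).get("user", {}).get("email_addresses", [])
        geo = e.get("principal", {}).get("ip_geo_artifact", [])
        if not emails or not geo:
            continue
        country = geo[0].get("location", {}).get("country_or_region")
        if not country:
            continue
        detections.append({
            "rule_name": PRODUCER_RULE,
            "timestamp": _ts(e["metadata"]["event_timestamp"]),
            "outcomes": {"target_user": emails[0], "country": country},
        })
    return detections

def composite_rule(detections: List[Dict],
                   window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Model of rapid_country_change_composite.

    Consumes producer detections only, groups them by the target_user outcome
    (the match variable) and reports pairs inside the window with different countries.
    """
    by_user: Dict[str, List[Dict]] = {}
    for d in detections:
        if d["rule_name"] != PRODUCER_RULE:
            continue
        by_user.setdefault(d["outcomes"]["target_user"], []).append(d)

    alerts = []
    for user, ds in by_user.items():
        ds.sort(key=lambda d: d["timestamp"])
        for i, first in enumerate(ds):
            for second in ds[i + 1:]:
                if second["timestamp"] - first["timestamp"] > window:
                    break  # sorted, so nothing later can be inside the window
                if first["outcomes"]["country"] != second["outcomes"]["country"]:
                    alerts.append((user, first["outcomes"]["country"],
                                   second["outcomes"]["country"]))
    return alerts

def run_chain(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Stage 1 feeds stage 2, as the persisted producer detections feed the composite rule."""
    return composite_rule(producer_rule(events))

if __name__ == "__main__":
    for alert in run_chain(SAMPLE_EVENTS):
        print("rapid_country_change_composite:", alert)
```

Running it on the sample input reports only alice (United States to Germany inside 30 minutes); bob's change is two hours apart, carol stays in one country, the logout event never reaches the producer, and the event without a geo artifact produces no detection at all.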

The very short answer is that if you are seeing "detection source is not supported", it means that the functionality has not rolled out to your tenant yet. The rollout is handled in "waves" so that the engineering team can respond to an issue in case one crops up, so it is coming, but it isn't there yet. Based on that, there is not a known issue. There are two blogs posted already about it, and more will be coming. It's great to see the enthusiasm for this capability!
